by manyxcxi 3803 days ago
I wholeheartedly disagree about letting regulators have anything to do with technology. It moves too fast and has too many interpretations to be codified into common sense law, leaving just the big pocket corps to write the regulations just like they've already done everywhere else.

How do you define reasonable security practices? If there's PII, what's reasonable then? What's reasonable today (OAuth, tokens, 2FA) was over the top crazy/impractical/expensive/impossible in 2001. You think there's going to be a committee evolving this crap every month in perpetuity?

On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them. Granted, they're going to have to come up with ways to apply it sometimes and you're going to have to prove it was that device that allowed the harm, but we have it.

I will say this though: I'm mostly okay with laws (whether they exist or not yet) that say that if your negligence or stupidity was the root cause, as a manufacturer of these goods, you are on the hook for a multiplier of damages. There are a lot of companies out there that know they are pushing shit to market in a race to the bottom and then just claim security is hard and they tried their best when clearly, they knew about an 8 year old bug and shipped anyway. In that case, I'm okay with hitting them hard.


> I'm mostly okay with laws (whether they exist or not yet) that say that if your negligence or stupidity was the root cause, as a manufacturer of these goods, you are on the hook for a multiplier of damages.

Such laws won't work, however, without a regulatory framework that ensures that -- for example -- click-through EULAs aren't used to lock customers into sleazy "binding arbitration" agreements that sacrifice their rights in return for permission to use an appliance they bought in good faith.

It may be difficult for regulators to keep up with specific technologies, but much tougher consumer rights protection is essential in order to hold negligent manufacturers responsible, because it's cheaper for the cowboy manufacturers to hire a lawyer to draft some dodgy contract boilerplate than it is for them to hire security experts and ship a safe product.

I agree with that. I'm much more in favor of punishing harshly when the mess up happens and could've been avoided but for willful negligence than trying to write a bunch of catch all regulations before we have a problem.

I think, at least in the US, we need much stronger consumer advocacy laws, something with teeth that can't be arbitrated down by a group of expensive lawyers.

We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

I think it's a little bit of this, a little bit of that. We need regulation to attempt to enforce baseline security practices (e.g. no passwords in cleartext, encryption during authentication, etc), since that can be proactive if not comprehensive. In addition to that, we need stronger consumer advocacy and liability for the more complicated, unanticipated cases.

> We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

If we're "way too litigious" to the point of stifling innovation, then I think the problem and solution are in a completely different area than this.

I am a technologist; and yet, I am all for stifling innovation with IoT. The folks creating these devices are not qualified to make decisions for themselves or for us.

What decisions are they making for you? It's your decision to opt in to their system by buying. As a technologist you have a good idea how to spot the crappy ones that can put you at risk, or would just (rightly) assume that something like an internet connected Elmo is a bad idea. It's the general population that we have to worry about, as they'll be the ones most seriously harmed (identity theft is the thing I worry most about any of this) by these things going awry. They may also not even put things together that some of these devices could be or are internet connected in the first place, where to us it's obvious that there must be network connectivity of some sort.

That being said, let the bad actors fail. Let their names get dragged through the mud, let the big companies sober up after a few too many VTech/Mattel/LG style failures that make the headlines. Let them either back out of the market because this shit is hard to keep secure, let them work with someone who can, or let them triple down and figure it out themselves. We're going to see a lot of failures, but we'll be better for it.

I've connected my own devices around my house (securely), use z-wave, and consumer home automation hubs/hardware, as well as some well known stuff like Nest and Amazon Echo. I don't ever want to go back to NOT having these things.

I've accounted for many of the likely failure points by these very well regarded manufacturers and I've firewalled my network very tightly, among many other things. But damn it, I've seen the future and I don't want to go back. It's too nice, too convenient, and adds too much real value.

It's your decision to buy their goods, no one should be preventing anyone from trying to enter the market just because you get the heebie jeebies or don't see the value. Someone else does, or no one else does and they fold up shop.

History has shown us that all the IoT devices are poorly coded at best and completely un-managed at worst.

It is also assumed that these devices have unfettered internet access. Most of them can do HTTPS. Either you allow it or you don't. How many Barbie dolls have been having inappropriate conversations with children that a human would otherwise be arrested for? How many televisions are feeding audio from families back to a company? How long is this data saved? Who has access to it? When must it be destroyed? What legal protections does anyone have against data abuse? What is deemed data abuse? If it turns out I am being spied on, what binding agreement do I have with the manufacturer and seller that will make them feel pain? Are they obligated to give me more than, "We're sorry. Gosh, we're just so darn sorry."?

Sorry, no. These devices need to be recycled before they are ever used.

EULAs and binding arbitration clauses are not valid when up against negligence. You cannot legally waive negligence in most countries, no matter what a web form or paper contract says. It is not legally binding.

> On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them.

The trouble with this is that "actual harm" in a legal context tends to mean something that can be proven in some specific context and have some specific monetary value attached to it.

Personally, I think harm is also done if someone knows their financial details might have leaked and then worries about their credit record and future financial security, or if someone discovers that a creep somewhere in another country has been watching their baby sleeping, or if a "smart" TV has been transmitting personal conversations of whatever nature from the living room to someone else. However, if we're only talking "actual damages", how do you decide what financial compensation is appropriate in such cases?

In reality, the most damaging violations probably aren't the ones with tangible financial losses attached, because financial losses can at least be made good after the fact. You can't make up for lost time, though maybe you can at least assign some nominal value to compensate for time spent on things like updating credentials after a breach. No amount of money can make up for the kind of distress caused to a teenager if a compromised device leaks something like their diary or an intimate video of them getting changed and the results go all around their school.

If security and privacy implications for the Internet of Things are to be taken seriously, I suspect the laws will need updating so that (a) there is a presumption of harm in cases where personal information leaks to an unintended party, and (b) there is a punitive value attached to leaks that cause non-monetary damage, with that value being very high for leaks that cause severe and/or ongoing distress.

I don't think this needs regulation. All it needs is a scale of meaningful penalties, leading up to company-destroying fines and/or jail time for executives for the most serious infringements caused by gross negligence or malice.

You can't hold someone liable for a standard that isn't legally defined. So, defining regulation that sets a reasonable expectation of security that every IoT manufacturer has to adhere to is not a bad idea, and helps everyone.

> On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them.

When was the last time a software company was held liable for their software not working correctly, and exposing users unnecessarily? Most of them EULA their way out of any lawsuit to begin with.